NIST SP 800- 171 & Continuous Monitoring

May 8, 2018

NIST SP 800- 171 & Continuous Monitoring of security controls and cyber hygiene, are must for any DoD subcontractor looking to stay compliant. Traditionally, this process has been referred to as “Continuous Monitoring” as noted in NIST SP 800-137 Information Security Continuous Monitoring for Federal Information Systems and Organizations.  It is important to note that both the terms “Continuous Monitoring” and “Ongoing Security Assessments” mean essentially the same thing and should be interpreted as such.

Performing ongoing security assessments help to determine whether the set of deployed security controls remain effective in light of any new exploits and attacks, including planned/unplanned changes that occur in the environment over time.

Contractors should pay attention to the following NIST 800-171 Continuous Monitoring Activities

  1. Independent Risk Assessment: Hire an outside consultant to test and ultimately validate that the various safeguards implemented are working as intended.
  2. Establish an Information Security Continuous Monitoring (ISCM) Program consisting of the following:
    1. Vulnerability and patch management
    2. Configuration management and compliance management
    3. Malicious software detection
    4. Event log management and reporting incidents to DOD and Prime Contractor.
    5. Annual contingency planning and incident response table top exercises.
    6. Updates of key security plans such as the system security plan, contingency plans and incident response plans.
    7. Annual role-based security training, insider threat, and security awareness training.
    8. Maintain a formal list of plans of actions and milestones for open findings.

The above tasks can be daunting to most organizations. However, there are tools that contractors can employ to provide situational awareness for majority of the NIST 171 SP 800-171 technical controls.  Security tools such as Security Information and Event Management (SIEM) tools can ingest information from configuration management software, vulnerability management scanners, firewalls, servers, intrusion prevention systems, databases, and antivirus software to produce dashboards, scoring, and reports that can aid with continuous monitoring initiatives.

As the threats to government systems continue to grow in complexity, it’s essential that contractors adopt best practices to protect their systems since they are the weakest link. Government regulations will continue to be more stringent due to the evolving threat landscape.

Implementing and maintaining 171 controls is less costly than dealing with a data breach and potentially loosing contracts with the government.

 

Join CKSS E-mail list to receive NIST SP 800-171 Special Promotions, TIPS, and Advisories.